Using Policies in ScriptRock to monitor nodes

Nov 1, 2015 • Jonathan Frappier

In my last post, I took a look at using ScriptRock to compare two nodes to see if their configuration state was identical. While this might be useful for troubleshooting scenarios, in my last example ensuring a Domain Controller was configured properly, you wouldn’t want to assume that a particular node is configured as desired at any given point in time - even if it is working as expected.

Consider a simple example of a web server. You may want to require HTTPS on some or all of the directories on the web server, however maybe a junior admin as removed this setting while troubleshooting and doesn’t revert back to the original configuration. Now, both HTTP and HTTPS will work. Is the node in the desired state? Well it works but it isn’t where you want it to be, and as such using this node as your reference might lead to other nodes being configured incorrectly.

The nice folks at ScriptRock have taken this into account and allow you to create policies to ensure nodes have the correct configuration. You can still use a known good node as a reference host to create the policy, however going forward the policy is its own item, and you don’t rely on the original node to be in the correct state. In fact, you can use the policy from your reference node, on your reference node to ensure no unwanted changes have been made. Let’s take a look.

If you haven’t already, add a node or two to ScriptRock (see my previous post - the examples are most useful with at least two nodes), now find the scan that you want to use as your policy. Here you can see I am using my Domain Controller again as a reference and have my scan from today selected.

Right click on the solid grey circle

Go to Add to Policy >> All Nodes (or the group of your choice) >> New Policy. Enter a name for your policy, for example “Public IIS” or “Corporate DC” and click the build button. After a few moments, it will analyze the nodes in the folder you selected. Of course the reference node in this case should pass 100% as you see here

A blue notice bar has also appeared at the top alert you that the policy has been appled to, in my case the Windows group, and it affects two nodes. Let’s take a look at the other node. Navigate back to the your list of nodes (Nodes >> All Nodes or the group you selected) and I am going to click on the vxprt-iaas01 node which I added because I wanted another node that wouldn’t match for testing/demo purposes.

Since I compared two nodes I knew were dissimilar, I see several failed checks as you might expect. Hopefully if you are comparing production nodes that should be the same you are not finding many failures!

While the ability to compare two nodes on the fly while troubleshooting is certainly useful, being able to create policies to ensure all nodes match the desired state you originally configured is a great feature, not only when you are on call and get paged at 2A.M. but to ease the pain/concerns during those annual security audits. If you didn’t read the last post, it is probably also worth noting that ScriptRock is free for up to 10 nodes!

Recently ScriptRock announced their service is completely free for up to 10 nodes, when I say completely there are no features you have to pay for unlike other freemium offerings. ScriptRock allows you to monitor the configuration of your infrastructure including Windows, and Linux servers, AWS instances, and other cloud services. A really interesting new feature, if you have been interested but not sure how to get started with something like Ansible, is the ability to create an Ansible role/playbook from a monitored host. There is quite a bit you can do with ScriptRock, so let’s start by taking a look at how to compare two nodes.

Upguard (formerly ScriptRock) recently announced a new, free, vulnerability scanner available within their solution. Years ago, Nessus was the defacto tool here but more recently has been commercialized. OpenVAS seems to be the new hotness for Open Source vulnerability scanning but is yet another product to introduce into the environment. In my previous two posts (compare / policies) I added two nodes to ScriptRock, I’ll use these again for testing the vulnerability scanner. If you have not already add a couple of hosts to ScriptRock before you proceed.